Eliminate Surprises with Security Assurance and Testing

By Mike Rothman

We have always been fans of making sure applications and infrastructure are ready for prime time before letting them loose on the world. It’s important not to rely on basic scanner functions either – your adversaries are unlikely to limit their tactics to the checks you find in an open source scanner. Security Assurance and Testing enables organizations to limit the unpleasant surprises that occur when launching new applications or upgrading infrastructure.

Adversaries continue to innovate and improve their tactics at an alarming rate. They have clear missions, typically involving exfiltrating critical information or impacting the availability of your technology resources. They have the patience and resources to achieve their missions by any means necessary. And it’s your job to make sure deployment of new IT resources doesn’t introduce unnecessary risk.

In our Eliminating Surprises with Security Assurance and Testing paper, we talk about the need for a comprehensive process to identify issues – before attackers do it for you. We list a number of critical tactics and programs to test in a consistent and repeatable manner, and finally walk through a couple of use cases to show how the process works at both the infrastructure and application levels.

To avoid surprises, we suggest a security assurance and testing process to ensure the environment is ready to cope with real traffic and real attacks. This goes well beyond what development organizations typically do to ‘test’ their applications, or what ops does to ‘test’ their stacks.

It is also different from a risk assessment or a manual penetration test. Those “point in time” assessments aren’t necessarily comprehensive: the testers may find a number of issues, but they will miss some. So remediation decisions end up being made with incomplete information about the true attack surface of your infrastructure and applications.

We would like to thank our friends at Ixia for licensing this content. Without the support of our clients, our open research model wouldn’t be possible.